Amendments to the Claims

Claim 1 (currently amended): A computer-implemented method of provisioning one or more software resources of an aggregated service in a computing network, comprising steps of:

defining a provisioning interface of the aggregated service;

specifying the provisioning interface in a service description document;

obtaining credentials of a user [[of]] who requests to access an [[the]] aggregated service[[,]] according to the service description document;

locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;

analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and

allowing the user to perform access the aggregated service only if indicated by the analyzing step has a successful result.



Claim 2 (currently amended): The computer-implemented method according to Claim 1, wherein an implementation of each of the identity functions of the aggregated service is provided by at least one of the sub-services, further comprising the step of registering the service description document in a registry.

Claim 3 (currently amended): The computer-implemented method according to Claim [[2]] 1, wherein:

at least one of the sub-services has a local provisioning interface, the local provisioning interface specified in a corresponding service description document and comprising a specification of how to invoke one or more identity functions of the sub-service; and

the identity functions in the provisioning interface of the aggregated service are selected from the local provisioning interfaces; and further comprising the [[steps]] step of:

controlling access to each of the sub-services having the local provisioning interface, further comprising the steps of:

determining whether the user is authenticated for, and/or authorized for, accessing the sub-service by invoking at least one of the one or more identity functions of the sub-service, according to the specification thereof in the local provisioning interface; and

allowing the user to access the sub-service only if the determining step has a successful result.

defining a provisioning interface of at least one of the one or more software resources of the aggregated service; and

for each of the at least one software resource, specifying the provisioning interface of [illegible] performed by the software resource in the service description document or in one or more other service description documents.

Claim 4 (currently amended): The computer-implemented method according to Claim 3, wherein:

the step of obtaining credentials of the user of the aggregated service also obtains sub-service credentials for at least one of the sub-services having the local provisioning interface; and

the determining step uses the obtained sub-service credentials, the at least one software resource, according to the service description document or the one or more other service description documents; and

further comprising the step of allowing the user to perform selected services represented by the provisioning interfaces of the at least one software resource, if indicated by the analyzing step.

Claim 5 (currently amended): The computer-implemented method according to Claim [[4]] 1, wherein:

one or more operations of at least one of the sub-services is access-protected;

further comprising the step of obtaining step further comprises obtaining, for at least one of the access-protected operations, operation-specific credentials of the user[[;]]; and further comprising the step of:

controlling access to each of at least one of the access-protected operations, further comprising the steps of:

and wherein the step analyzing the obtained operation-specific credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user can access the access-protected operation; and

[[of]] allowing the user to access the access-protected operation only if the step of analyzing the obtained operation-specific credentials has a successful result, perform selected services depends on the operation-specific credentials of the selected service.

Claim 6 (canceled)

Claim 7 (currently amended): The computer-implemented method according to Claim 1, wherein identity information obtained by invoking one or more of the identity functions is programmatically relayed among at least two of the sub-services distributed services performed by the software resources of the aggregated service.

Claim 8 (currently amended): The computer-implemented method according to Claim 7, wherein the programmatic relaying comprises sending a message which specifies the credentials identity information in a header of the message and which specifies a service request in a body of the message.

Claim 9 (currently amended): The computer-implemented method according to Claim 8, wherein the message is a SOAP ("Simple Object Access Protocol") message.

Claim 10 (currently amended): The computer-implemented method according to Claim 1, wherein the service description document is specified in a markup language.

Claim 11 (currently amended): The computer-implemented method according to Claim 10, wherein the markup language is Web Services Description Language ("WSDL").

Claim 12 (currently amended): The computer-implemented method according to Claim 2, wherein the network-accessible registry is a network-accessible registry accessed using standardized messages.

Claim 13 (currently amended): A system for provisioning one or more software resources of an aggregated service in a computing network, comprising:

means for defining a provisioning interface of the aggregated service;

means for specifying the provisioning interface in a service description document;

means for obtaining credentials of a user [[of]] who requests to access an [[the]] aggregated service, according to the service description document;

means for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;

means for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and

means for allowing the user to perform access the aggregated service only if indicated by the means for analyzing has a successful result.

Claim 14 (currently amended): A computer program product for provisioning one or more software resources of an aggregated service in a computing network, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code means for defining a provisioning interface of the aggregated service;

computer-readable program code means for specifying the provisioning interface in a service description document;

computer-readable program code means for obtaining credentials of a user [[of]] who requests to access an [[the]] aggregated service, according to the service description document;

computer-readable program code means for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface, specifying how to invoke identity functions of the aggregated service;

computer-readable program code means for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and

computer-readable program code means for allowing the user to perform access the aggregated service only if indicated by the computer-readable program code means for analyzing has a successful result.



Claim 15 (new): The method according to Claim 1, wherein an implementation of at least one of the sub-services is located dynamically, at run-time.

Claim 16 (new): The method according to Claim 7, wherein the identity information is initially obtained as a result of the analyzing step.

Claim 17 (new): The method according to Claim 7, wherein the identity information comprises an authentication token generated by one of the invoked identity functions.

Claim 18 (new): The method according to Claim 1, wherein:

at least two of the sub-services each have associated therewith an identity system for access control thereto;

at least two of the associated identity systems are heterogeneous; and

at least one selected one of the identity functions of the aggregated service enables dynamically joining at least two of the heterogeneous identity systems.

Claim 19 (new): The method according to Claim 18, wherein the at least one selected identity function, upon invocation, identifies the identity system that stores information pertaining to users of the sub-service with which that identity system is associated.

Claim 20 (new): The method according to Claim 19, wherein the dynamic joining is enabled by relaying the identification of the identity system among the dynamically-joined identity systems.
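
The header/body split recited in Claims 7 to 9, with the authentication token of Claim 17 as the relayed identity information, sketched as an added example that is not part of the claims or the application. The `urn:example:identity` namespace, the element names, the shared key and the HMAC token format are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
IDN = "urn:example:identity"    # hypothetical namespace, not from the claims
KEY = b"constructed-demo-key"   # constructed key shared by the sub-services


def _mac(user):
    return hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Stand-in identity function: returns an authentication token for user."""
    return f"{user}:{_mac(user)}"


def build_message(token, operation, argument):
    """Identity information goes in the header, the service request in the body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{IDN}}}AuthToken").text = token
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, f"{{{IDN}}}{operation}").text = argument
    return ET.tostring(env)


def receive(message):
    """Receiving sub-service: authenticate from the header, then read the body.

    Returns (user, operation, argument) or raises PermissionError.
    """
    env = ET.fromstring(message)
    # Look only under Header: a token placed in the Body is never trusted.
    node = env.find(f"{{{SOAP}}}Header/{{{IDN}}}AuthToken")
    if node is None or not node.text:
        raise PermissionError("no identity information in header")
    user, _, mac = node.text.partition(":")
    if not hmac.compare_digest(mac.encode(), _mac(user).encode()):
        raise PermissionError("authentication token failed verification")
    body = env.find(f"{{{SOAP}}}Body")
    if body is None or len(body) != 1:
        raise PermissionError("body must carry exactly one service request")
    request = body[0]
    return user, request.tag.rpartition("}")[2], request.text
```

A receiving sub-service that accepts messages from untrusted peers should parse them with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.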